feat(falcon-imageanalyzer): Add image exclusions

Author: gpontejos-cs

api/falcon/v1alpha1/falconimageanalyzer_types.go

@@ -180,6 +180,10 @@ type Exclusions struct {
 	// Configure a list of namespaces for Image Analyzer to ignore.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=2
 	Namespaces []string `json:"namespaces,omitempty"`
+
+	// Configure a list of image names for Image Analyzer to ignore.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Images List",order=3
+	ImageNames []string `json:"imageNames,omitempty"`
 }
 
 type RegistryConfig struct {

api/falcon/v1alpha1/zz_generated.deepcopy.go

@@ -258,6 +258,11 @@ func (in *Exclusions) DeepCopyInto(out *Exclusions) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.ImageNames != nil {
+		in, out := &in.ImageNames, &out.ImageNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exclusions.

config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml

@@ -3364,6 +3364,12 @@ spec:
                       exclusions:
                         description: Exclusions for the Falcon Image Analyzer.
                         properties:
+                          imageNames:
+                            description: Configure a list of image names for Image
+                              Analyzer to ignore.
+                            items:
+                              type: string
+                            type: array
                           namespaces:
                             description: Configure a list of namespaces for Image
                               Analyzer to ignore.

config/crd/bases/falcon.crowdstrike.com_falconimageanalyzers.yaml

@@ -125,6 +125,12 @@ spec:
                   exclusions:
                     description: Exclusions for the Falcon Image Analyzer.
                     properties:
+                      imageNames:
+                        description: Configure a list of image names for Image Analyzer
+                          to ignore.
+                        items:
+                          type: string
+                        type: array
                       namespaces:
                         description: Configure a list of namespaces for Image Analyzer
                           to ignore.

deploy/falcon-operator.yaml

@@ -6766,6 +6766,12 @@ spec:
                       exclusions:
                         description: Exclusions for the Falcon Image Analyzer.
                         properties:
+                          imageNames:
+                            description: Configure a list of image names for Image
+                              Analyzer to ignore.
+                            items:
+                              type: string
+                            type: array
                           namespaces:
                             description: Configure a list of namespaces for Image
                               Analyzer to ignore.
@@ -8143,6 +8149,12 @@ spec:
                   exclusions:
                     description: Exclusions for the Falcon Image Analyzer.
                     properties:
+                      imageNames:
+                        description: Configure a list of image names for Image Analyzer
+                          to ignore.
+                        items:
+                          type: string
+                        type: array
                       namespaces:
                         description: Configure a list of namespaces for Image Analyzer
                           to ignore.

docs/deployment/openshift/resources/imageanalyzer/README.md

@@ -59,6 +59,7 @@ spec:
 | imageAnalyzerConfig.priorityClass.name        | (optional) Set to avoid pod evictions due to resource limits.                                                                                                                                           |
 | imageAnalyzerConfig.exclusions.registries     | (optional) Set the value as a list of registries to be excluded. All images in that registry(s) will be excluded                                                                                                    |
 | imageAnalyzerConfig.exclusions.namespaces     | (optional) Set the value as a list of namespaces to be excluded. All pods in that namespace(s) will be excluded                                                                                                     |
+| imageAnalyzerConfig.exclusions.imageNames     | (optional) Set the value as a list of fully qualified image names to be excluded.                                                                                                    |
 | imageAnalyzerConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Image Analyzer                                                                                                                                           |
 | imageAnalyzerConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Image Analyzer                                                                                                                                          |
 | imageAnalyzerConfig.registryConfig.credentials | (optional) Use this to provide registry secrets in the form of a list of maps. e.g.<pre>- namespace: ns1<br>&nbsp;&nbsp;secretName: mysecretname</pre>To scan OpenShift control plane components, specify the cluster's pull secret: <pre>- namespace: openshift-config<br>&nbsp;&nbsp;secretName: pull-secret</pre>  |

docs/resources/imageanalyzer/README.md

@@ -59,6 +59,7 @@ spec:
 | imageAnalyzerConfig.priorityClass.name        | (optional) Set to avoid pod evictions due to resource limits.                                                                                                                                           |
 | imageAnalyzerConfig.exclusions.registries     | (optional) Set the value as a list of registries to be excluded. All images in that registry(s) will be excluded                                                                                                    |
 | imageAnalyzerConfig.exclusions.namespaces     | (optional) Set the value as a list of namespaces to be excluded. All pods in that namespace(s) will be excluded                                                                                                     |
+| imageAnalyzerConfig.exclusions.imageNames     | (optional) Set the value as a list of fully qualified image names to be excluded.                                                                                                    |
 | imageAnalyzerConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Image Analyzer                                                                                                                                           |
 | imageAnalyzerConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Image Analyzer                                                                                                                                          |
 | imageAnalyzerConfig.registryConfig.credentials | (optional) Use this to provide registry secrets in the form of a list of maps. e.g.<pre>- namespace: ns1<br>&nbsp;&nbsp;secretName: mysecretname</pre>To scan OpenShift control plane components, specify the cluster's pull secret: <pre>- namespace: openshift-config<br>&nbsp;&nbsp;secretName: pull-secret</pre>  |

docs/src/resources/imageanalyzer.md.tmpl

@@ -59,6 +59,7 @@ spec:
 | imageAnalyzerConfig.priorityClass.name        | (optional) Set to avoid pod evictions due to resource limits.                                                                                                                                           |
 | imageAnalyzerConfig.exclusions.registries     | (optional) Set the value as a list of registries to be excluded. All images in that registry(s) will be excluded                                                                                                    |
 | imageAnalyzerConfig.exclusions.namespaces     | (optional) Set the value as a list of namespaces to be excluded. All pods in that namespace(s) will be excluded                                                                                                     |
+| imageAnalyzerConfig.exclusions.imageNames     | (optional) Set the value as a list of fully qualified image names to be excluded.                                                                                                    |
 | imageAnalyzerConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Image Analyzer                                                                                                                                           |
 | imageAnalyzerConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Image Analyzer                                                                                                                                          |
 | imageAnalyzerConfig.registryConfig.credentials | (optional) Use this to provide registry secrets in the form of a list of maps. e.g.<pre>- namespace: ns1<br>&nbsp;&nbsp;secretName: mysecretname</pre>To scan OpenShift control plane components, specify the cluster's pull secret: <pre>- namespace: openshift-config<br>&nbsp;&nbsp;secretName: pull-secret</pre>  |

internal/controller/falcon_image_analyzer/configmap.go

@@ -106,6 +106,10 @@ func (r *FalconImageAnalyzerReconciler) newConfigMap(ctx context.Context, name s
 		data["AGENT_REGISTRY_EXCLUSIONS"] = strings.Join(falconImageAnalyzer.Spec.ImageAnalyzerConfig.Exclusions.Registries, ",")
 	}
 
+	if len(falconImageAnalyzer.Spec.ImageAnalyzerConfig.Exclusions.ImageNames) > 0 {
+		data["AGENT_IMAGE_EXCLUSIONS"] = strings.Join(falconImageAnalyzer.Spec.ImageAnalyzerConfig.Exclusions.ImageNames, ",")
+	}
+
 	data["AGENT_DEBUG"] = strconv.FormatBool(falconImageAnalyzer.Spec.ImageAnalyzerConfig.EnableDebug)
 
 	// Registry auto-discovery configuration

internal/controller/falcon_image_analyzer/image_push.go

@@ -49,7 +49,7 @@ func (r *FalconImageAnalyzerReconciler) PushImage(ctx context.Context, log logr.
 	image := image.NewImageRefresher(ctx, log, falconApiConfig, pushAuth, falconImageAnalyzer.Spec.Registry.TLS.InsecureSkipVerify)
 	version := falconImageAnalyzer.Spec.Version
 
-	tag, err := image.Refresh(registryUri, falcon.ImageSensor, version)
+	tag, err := image.Refresh(registryUri, falcon.RegionedImageSensor, version)
 	if err != nil {
 		return fmt.Errorf("Cannot push Falcon Image Analyzer Image: %v", err)
 	}
@@ -139,7 +139,7 @@ func (r *FalconImageAnalyzerReconciler) registryUri(ctx context.Context, falconI
 			return "", err
 		}
 
-		return falcon.FalconContainerSensorImageURI(cloud, falcon.ImageSensor), nil
+		return falcon.FalconContainerSensorImageURI(cloud, falcon.RegionedImageSensor), nil
 	default:
 		return "", fmt.Errorf("Unrecognized registry type: %s", falconImageAnalyzer.Spec.Registry.Type)
 	}
@@ -209,7 +209,7 @@ func (r *FalconImageAnalyzerReconciler) setImageTag(ctx context.Context, falconI
 		return "", err
 	}
 
-	tag, err := registry.LastContainerTag(ctx, falcon.ImageSensor, falconImageAnalyzer.Spec.Version)
+	tag, err := registry.LastContainerTag(ctx, falcon.RegionedImageSensor, falconImageAnalyzer.Spec.Version)
 	if err == nil {
 		falconImageAnalyzer.Status.Sensor = common.ImageVersion(tag)
 	}